Delegated Admin roles

Hello
I have 5 delegated admin roles assigned to a group.
How do I get a list of delegated admin roles defined for that group in workshop (not through the admin portal)? Is there any API?
Also do users of a group inherit the delegated admin roles defined for a group?
Any help would be appreciated.
Thanks
Vijay

com.bea.p13n.security Package may give you some clue.
Also, as a general rule, Roles are 'above' Groups. So if a user is a member of a group (which has a role defined), the user 'gets' that role.
Thanks,
Puneet

Similar Messages

  • Delegated admins adding roles, displaying unexpected.

    Hi all
    I need to paint a picture for this one so please be patient.
    I have a delegated admin that I have given access to the organization called internal using the internal tabbed user form. They have capabilities to add users, edit, update, and I have included only specific Business Roles that they can add which excludes all other roles. This works perfectly.
    I have a separate admin role that allows a delegated admin to do the same as above with a different set of specific business roles to an organization called external using the external tabbed user form. This works perfectly as well.
    NOTE: The business roles are only available to their respective organizations.
    My dilemma:
    When I add both roles to 1 delegated admin I get behavior that I think could be different.
    All the correct forms work, all the fields are correct everything works as expected except the roles.
    When I select add roles it actually shows up the combination of both sets of business roles that the above capabilities gives me access to... not the ones assigned to their respective organization.
    Now based on
    1. The roles are only available to users in their respective organizations
    2. And I have excluded roles from the other organizations
    3. And I am selecting or creating a user in their specific organization
    Should this display this way? And if so is there anything else I can do to just display the roles that are available to the organization?
    Cheers

  • Delegated Admin and non-flat user/group structures

    Hello, I am trying to build a directory structure with several containers under an organization used to store different portions of userdata and group data (i.e. not only ou=people and ou=group, but also a few ou's like them). Server software is from OUCS 7u2 release. Users in "other" containers are populated into LDAP (ODSEE 11) by replication, filling in all the same attributes as a freshly DA-created account has.
    The Delegated Admin interface and other parts of the software accept this and work okay with this setup, displaying user information, allowing logins and so on - except for attempts to edit user accounts in the alternate containers in the DA (i.e. add/remove service packages, change quotas, etc.). First I've verified that this is not an LDAP problem - I can use both command-line ldapmodify and an LDAPBrowser GUI to edit the entries with no hiccups.
    I tracked that when trying to save account information for accounts in non-standard containers, the DA still tries to use a hard-coded path (i.e. uid=USERNAME,ou=people,o=DOMAINNAME,dc=DOMAIN,dc=NAME) despite the fact that the user account is (and DA displayed it from) uid=USERNAME,ou=morePeople,o=DOMAINNAME,dc=DOMAIN,dc=NAME.
    Possibly, this "hardcoding" stems from DA configuration in WEB-INF/classes/sun/comm/cli/server/servlet/serverconfig.properties which does list components of the LDAP structure:
    # Ldap configuration.
    # List of ldap hosts. Form is <ldaphost>:<portnumber>. (Default port = 389)
    # add additional hosts with ldaphost-<consecutive number>
    # Schema type is either "1" or "2".
    # Reconnect interval is in seconds
    # Group and people container is dn from organization dn (e.g ou=people)
    ldaphost-1=oucsldap01:389
    ldaphost-2=oucsldap02:389
    ldaphost-suffix=dc=DOMAIN,dc=NAME
    ldaphost-dcsuffix=dc=DOMAIN,dc=NAME
    ldaphost-maxcount=50
    ldaphost-schematype=2
    ldaphost-reconnectinterval=60
    ldaphost-peoplecontainer=ou=People
    ldaphost-groupcontainer=ou=Groups
    ldaphost-orgadminrole=cn=Organization Admin Role
    While the organization root dn is not explicit here (and shouldn't be), the default people container is... I might guess a coding error logic like this: indeed, the "ou=People" container should be used by default when creating a user via DA; as a likely error, it might also be used when editing existing users - instead of their existing full DN/parent DN.
    Questions:
    1) Does anyone have a working configuration with several user/group containers within an organization like this? Would you care to share details and workarounds, if any were needed?
    2) I think that possibly the "shared domain/organization hosting" mode might help here - at least it is expected to have several LDAP trees with their delegated administrators performing as a single e-mail domain. Before I go and reconfigure everything, I'd love to hear if there are any success stories with this route? Is it a proper solution (or THE solution) for such config?
    Thanks,
    //Jim Klimov

    I wanted to follow up that reconfiguring the directory structure according to shared domain hosting, with branches for ISW-synchronized accounts as one of the sub-organizations which share the domain, and manually created OUCS-only accounts being in another sub-organization. This works for both messaging components and the DA, as long as UIDs are in ou=People in their organization. Somewhat unfortunately, ISW config seems to allow only one DSEE target branch and puts groups (CN) there as well. Well, for our needs to edit user attributes and service packages via DA, this suffices. Sometimes there are hiccups (Can not save changes), but they are intermittent and harder to trace debug; usually go away with restart of the DA web container. The DSEE LDAP instances are configured with plugins to enforce uid uniqueness across the organization and uniqueness of values of messaging email address attributes (mail, mailAlternateAddress, mailEquivalentAddress) to avoid mixups between user accounts in different branches.
    Also, we had a problem with Calendar server after migrating the LDAP entries: since our deployment used the nsUniqueID for calendar user identification, relocation of entries (the way we did it) generated new values for new entries and users got new empty calendar databases. On this POC this was not a major problem, and newer OUCS releases with a davUniqueID attribute should specifically be immune to this problem. However, for others treading this path I can suggest that they export the LDAP database into LDIF including the unique IDs, recreate the suffixes as needed (the ISW target organization in DSEE should be a separate LDAP database suffix), change the LDIF entry pathnames, and import the LDIF anew. This would wipe old LDAP data and should add old nsUniqueIDs to relocated entries (unlike recreation via ldapadd or relocation via ldapmodrdn).
    We have also hit a problem with DA refusing to render the list of accounts (returning 0 or 25 empty entries in a table). The LDAP logs showed that on the LDAP side all is ok, and expected amount of replies was located. Pattern searches often produced the proper table with a subset of users in DA. Ultimately, we linked the problem to ISW binary base64-encoded attributes (dspswuserlink et al; some of those values also garbaged output of commadmin queries in a terminal) and created an LDAP ACI which forbade our DA-admin user to read,search,compare these attributes. This solved the problem for us. I wonder if a more generic solution is possible, so as to apply this ACI not to an explicitly named admin user but to any users with DA admin privileges (by group or role? which string, to cover them all in advance)? Or, perhaps, nobody except the ISW user account should see these ISW attributes?
    Hope this report helps others who would try to pioneer this path of messaging integration
    //Jim Klimov

  • Delegated Admin - Problem

    I just installed the SC 6 Update 2 all component in the same server... when I try to create a user with delegate admin I have the following error
    /opt/sun/comms/da/bin/commadmin -v user create -D admin -n domain.com -l username -d domain.com -w password -S mail,cal -H servername.domain.com
    FAIL
    *5088:Error message required. missing resource string -> norgsmd null*
    The only way to make it work is if I remove the "-S mail,cal". I enable mail & cal to be used with Convergence, the object exists in the LDAP because the admin user that was created with the installation has all the objectclasses needed for calendar and mail, so if I log in to Convergence I see the calendar and email folders...
    And then I run the command /opt/sun/comm/im/sbin/imadmin assign_services to assign the services to all users in a specific domain and it executes without problem but without changes... the users still have the same objectclass
    the complete output of the command is :
    bash-3.00# /opt/sun/comms/da/bin/commadmin -v user create -D admin -n domain.com -l username -d domain.com -w 12345 -S mail,cal
    [Debug]: DBG:Object = user ; task = create
    [Debug]: default domain from Properties: domain.com
    [Debug]: IShost from Properties: mail.domain.com
    [Debug]: ISPort from Properties: 80
    [Debug]: Contacting : http://mail.domain.com:80/commcli/auth
    [Debug]: To servlet: domain=domain.com&username=admin&password=12345&charsetenc=UTF-8
    [Debug]: cookie => JSESSIONID=6777b671e5fb7eee49f1851ec1a3; Path=/commcli
    [Debug]: RECV: OK
    [Debug]: RECV: OK
    [Debug]: RECV: dn: uid=admin, ou=People, o=domain.com,dc=domain,dc=com
    [Debug]: RECV: nsroledn: cn=Top-level Admin Role,dc=domain,dc=com
    [Debug]: RECV:
    [Debug]: DBG: before getobjtaskargs
    [Debug]: In getObjTaskArgs for: user; create
    [Debug]: Contacting : http://mail.domain.com:80/commcli/climap
    [Debug]: Sending to servlet: task=create&object=user
    [Debug]: getObjTaskArgs Status: 0
    [Debug]: Number of servlets: 1
    [Debug]: Servlet Name: TaskManager
    [Debug]: Servlet args: task=CreateUser
    [Debug]: Servlet args: objecttype=User
    [Debug]: Valid Options Array: 8
    d, true, , false, true, user's domain, domain, ,
    l, true, , true, true, user's login ID, add_uid, ,
    F, true, , true, true, user's first name, add_givenname, ,
    L, true, , true, true, user's last name, add_sn, ,
    I, true, , false, true, user's middle initial, add_initials, ,
    W, true, , true, true, user's password, add_userpassword+confirm_userpassword, ,
    S, true, , false, true, service(s) to be added , add_services, mail={H;true;#;false;true;user's mail host;add_mailhost;#},{E;true;#;false;true;user's email address;add_mail;#}::cal={E;true;#;false;true;user's email address;add_mail;#},{B;true;#;false;true;user's back end calendar server;add_icsdwphost;#},{J;true;#;false;true;first day of the week;add_icsfirstday;#},{T;true;#;false;true;user's timezone;add_icstimezone;#},{k;true;#;false;true;calendar version - legacy or hosted domain;cal_version;#},
    A, true, , false, true, attribute to add, <attr name>:<value>, add_, ,
    [Debug]: DBG: getObjTaskArgs done
    [Debug]: servInfo len = 1
    Enter user's password: 123456789
    [Debug]: argVal =domain.com
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com
    [Debug]: argVal =username
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username
    [Debug]: argVal =test
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test
    [Debug]: argVal =test
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test&add_sn=test
    [Debug]: argVal =123456789
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test&add_sn=test&add_userpassword=123456789
    [Debug]: argVal =123456789
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test&add_sn=test&add_userpassword=123456789&confirm_userpassword=123456789
    [Debug]: argVal =mail
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test&add_sn=test&add_userpassword=123456789&confirm_userpassword=123456789&add_services=mail
    [Debug]: argVal =cal
    [Debug]: servCommand =task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test&add_sn=test&add_userpassword=123456789&confirm_userpassword=123456789&add_services=mail&add_services=cal
    [Debug]: Contacting : http://mail.domain.com:80/commcli/TaskManager
    [Debug]: To servlet: task=CreateUser&objecttype=User&domain=domain.com&add_uid=username&add_givenname=test&add_sn=test&add_userpassword=123456789&confirm_userpassword=123456789&add_services=mail&add_services=cal
    [Debug]: RECV: FAIL
    *[Debug]: RECV: 5088:Error message required. missing resource string -> norgsmd null*
    [Debug]: CLITask: status returned =FAIL
    FAIL
    *5088:Error message required. missing resource string -> norgsmd null*
    [Debug]: DBG: doOne returned code=6
    [Debug]: Contacting : http://mail.domain.com:80/commcli/logout
    [Debug]: Logout ...
    Any help will be much appreciated
    CA

    KenGra wrote:
    I found the problem, the default domain that was created during the installation did not have all the objectclass needed, such as calendaruser etc....Did you remember to run the "./commadmin domain modify -S mail -S cal -H mailhost" for the default domain after the installation of Delegated Administrator?
    Regards,
    Shane.
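
The verbose `commadmin -v` trace in the post above carries the administrator password, the new user's password and the `JSESSIONID` cookie in clear text. The following is an added example (not part of the original post and not product code) that scrubs those fields from such a trace before it is shared; the key names, the `-w` flag and the prompt text are taken from the trace, while the function names `collect_secrets` and `redact` and the sample values are constructed for illustration.

```python
import re

# Field names as they appear in the trace on this page.
SECRET_KEYS = ("password", "add_userpassword", "confirm_userpassword")
MASK = "[REDACTED]"

# key=value inside the servlet query strings; the lookbehind stops "password"
# from matching the tail of "add_userpassword".
_KV = re.compile(r"(?<![A-Za-z0-9_])(%s)=([^&\s]*)" % "|".join(SECRET_KEYS))
_COOKIE = re.compile(r"(JSESSIONID=)[^;\s]+")
_W_FLAG = re.compile(r"(\s-[wW]\s+)(\S+)")          # password on the command line
_PROMPT = re.compile(r"(Enter user's password:\s*)(\S+)")
_ARGVAL = re.compile(r"^(\s*\[Debug\]: argVal =)(.*)$")


def collect_secrets(lines):
    """First pass: gather every value the trace itself labels as a password."""
    secrets = set()
    for line in lines:
        for _key, value in _KV.findall(line):
            if value:
                secrets.add(value)
        if "commadmin" in line:
            for _flag, value in _W_FLAG.findall(line):
                secrets.add(value)
        prompt = _PROMPT.search(line)
        if prompt:
            secrets.add(prompt.group(2))
    return secrets


def redact(text):
    """Second pass: mask labelled fields, then unlabelled argVal echoes.

    The trace prints "argVal =<value>" before the servCommand line that
    reveals the value is a password, so the secrets must be known up front.
    argVal is compared as a whole value, never substring-replaced: one
    password may be a prefix of another, and a substring replace would
    leave the remainder of the longer one visible.
    """
    lines = text.splitlines()
    secrets = collect_secrets(lines)
    out = []
    for line in lines:
        line = _KV.sub(lambda m: m.group(1) + "=" + MASK, line)
        line = _COOKIE.sub(r"\1" + MASK, line)
        if "commadmin" in line:
            line = _W_FLAG.sub(r"\1" + MASK, line)
        line = _PROMPT.sub(r"\1" + MASK, line)
        echo = _ARGVAL.match(line)
        if echo and echo.group(2).strip() in secrets:
            line = echo.group(1) + MASK
        out.append(line)
    return "\n".join(out)


# Constructed sample in the same format as the trace above (values invented).
# The admin password is deliberately a prefix of the user password.
SAMPLE = """\
bash-3.00# /opt/sun/comms/da/bin/commadmin -v user create -D admin -n example.com -l jdoe -d example.com -w adm1n -S mail
[Debug]: To servlet: domain=example.com&username=admin&password=adm1n&charsetenc=UTF-8
[Debug]: cookie => JSESSIONID=0123456789abcdef; Path=/commcli
Enter user's password: adm1n-user
[Debug]: argVal =jdoe
[Debug]: argVal =adm1n-user
[Debug]: servCommand =task=CreateUser&objecttype=User&domain=example.com&add_uid=jdoe&add_userpassword=adm1n-user&confirm_userpassword=adm1n-user
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```
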

  • Delegated Admin and User Management in WLP 9.2

    Hi,
    I've made a Delegated Administrator role and a user for it. The user is Delegated Admin for our users and groups. Still that user cannot create new users, only new groups.
    The error message that shows when creating new user is "The subject does not have access to the specified group".
    What should I do to make it work?
    Regards,
    Tanja

    Unfortunately, you've run into a bug in the product. See CR282051 in the WLP 9.2 release notes.
    http://edocs.bea.com/wlp/docs92/relnotes/relnotes.html#wp1147925
    If you have a support contract, you might be able to contact BEA Support to see if a patch might be available.

  • Delegated Admin login fail

    I installed Solaris 9 05/9 and JES05Q4 in a Sun Fire V440 recently.
    I chose these components only:
    Directory server
    Administration server
    Web server
    Access manager
    Messaging server
    Delegated administrator
    Directory preparation tools
    I can use commadm to create users after installation and initial configuration, but I can't log in to the delegated admin with any account. http://server.mydomain.com/da/DA/Login
    After I check the DA log file, it shows:
    WARNING: User [admin] has no valid role assigned, aborting login
    What kind of role is required for DA login?
    Thanks in advance for any help.
    dx

    I recommend that you post your question to the Messaging Server forum (also listed at the bottom of the Java ES forums page):
    http://swforum.sun.com/jive/forum.jspa?forumID=15
    You might also want to search that forum for similar problem reports.

  • Delegated Admin- Adding user causes unhandled exceptions

    Now that I've finally settled on 05q1, I'm trying to create accounts using the delegated admin GUI.
    I click on my domain, then on "New". I then fill out first, last name, role is Business OA, no postal address, assign no service package, change the loginId and two passwords. At this point, when I click "Next", I get a "Server Error" screen with this information:
    This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misconfiguration. Please ask the administrator to look for messages in the server's error log.
    The messages below show up in /opt/sun/webserver/https-imap.domain.com/logs/errors. I couldn't find any other error for ds, identity, admin server, etc. After this exception, I also have to log back in to DA. The messages are quite vague (from an administrative standpoint) so any help is appreciated!
    [11/Jan/2006:10:32:02] failure (18149): for host xx.xxx.xxx.xxx trying to POST /da/wizard/WizardWindow, service-j2ee reports: ApplicationDispatcher[da] WEB2649: Servlet.service() for servlet jsp threw exception
    javax.servlet.ServletException
    at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:536)
    at jsps.com_sun_web_ui._jsp._wizard._WizardWindow_jsp._jspService(_WizardWindow_jsp.java:559)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
    at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
    at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
    at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
    at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
    at com.sun.web.ui.view.wizard.CCWizard.handleNextButtonRequest(CCWizard.java:730)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
    at com.sun.comm.da.WizardWinServlet.service(WizardWinServlet.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:128)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
    at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
    ----- Root Cause -----
    javax.servlet.jsp.JspException
    at com.sun.web.ui.taglib.wizard.CCWizardTag.getWizardPageHTML(CCWizardTag.java:1577)
    at com.sun.web.ui.taglib.wizard.CCWizardTag.appendPageletBodyContentHTML(CCWizardTag.java:668)
    at com.sun.web.ui.taglib.wizard.CCWizardTag.appendWizardBodyHTML(CCWi
    [11/Jan/2006:10:32:02] failure (18149): for host xx.xxx.xxx.xxx trying to POST /da/wizard/WizardWindow, service-j2ee reports: WEB2798: [da] ServletContext.log(): [ERROR] Uncaught application exception
    com.iplanet.jato.NavigationException: Exception encountered during forward
    Root cause = [javax.servlet.jsp.JspException]
    at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:380)
    at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
    at com.sun.web.ui.view.wizard.CCWizard.handleNextButtonRequest(CCWizard.java:730)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
    at com.sun.comm.da.WizardWinServlet.service(WizardWinServlet.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:128)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
    at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
    Root cause:
    javax.servlet.jsp.JspException
    at com.sun.web.ui.taglib.wizard.CCWizardTag.getWizardPageHTML(CCWizardTag.java:1577)
    at com.sun.web.ui.taglib.wizard.CCWizardTag.appendPageletBodyContentHTML(CCWizardTag.java:668)
    at com.sun.web.ui.taglib.wizard.CCWizardTag.appendWizardBodyHTML(CCWizardTag.java:658)
    at com.sun.web.ui.taglib.wizard.CCWizardTag.getHTMLStringInternal(CCWizardTag.java:469)
    at com.sun.web.ui.taglib.common.CCTagBase.doEndTag(CCTagBase.java:114)
    at jsps.com_sun_web_ui._jsp._wizard._WizardWindow_jsp._jspService(_WizardWindow_jsp.java:260)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
    at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
    at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
    at org.apache.catalina.cor
    [11/Jan/2006:10:32:02] failure (18149): for host xx.xxx.xxx.xxx trying to POST /da/wizard/WizardWindow, service-j2ee reports: StandardWrapperValve[WizardWinServlet]: WEB2792: Servlet.service() for servlet WizardWinServlet threw exception
    javax.servlet.ServletException: Uncaught exception
    at com.iplanet.jato.ApplicationServletBase.onUncaughtException(ApplicationServletBase.java:1415)
    at com.sun.comm.da.WizardWinServlet.onUncaughtException(WizardWinServlet.java:98)
    at com.iplanet.jato.ApplicationServletBase.fireUncaughtException(ApplicationServletBase.java:1164)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:639)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
    at com.sun.comm.da.WizardWinServlet.service(WizardWinServlet.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:128)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:213)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:280)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:212)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:209)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:509)
    at com.iplanet.ias.web.connector.nsapi.NSAPIProcessor.process(NSAPIProcessor.java:161)
    at com.iplanet.ias.web.WebContainer.service(WebContainer.java:580)
    ----- Root Cause -----
    com.iplanet.jato.NavigationException: Exception encountered during forward
    Root cause = [javax.servlet.jsp.JspException]
    at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:380)
    at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
    at com.sun.web.ui.view.wizard.CCWizard.handleNextButtonRequest(CCWizard.java:730)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)
    at com.sun.comm.da.WizardWinServlet.service(WizardWinServlet.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:193)
    at com.sun.comm.da.LoginFilter.doFilter(LoginFilter.java:128)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.

    Might it have something to do with having not assigned service package? I read in the 05Q4 notes that in 05Q1, a service package had to be defined. I just tried to allocate some service packages to the domain and I get the same "Server Error" page when I click "Next" on the page where I choose how many service packages to allocate (i.e. the screen right before the "Summary" page)
    At least the errors are a little more informative in the webserver error log (sample below)
    I chose 3 service packages and attempted to allocate 50 each, No anonymous logins for calendar server and put in a calendar server hostname. All other fields were left to default.
    [12/Jan/2006:15:14:13] failure (18149): for host 63.241.196.147 trying to POST /da/wizard/WizardWindow, service-j2ee reports: ApplicationDispatcher[da] WEB2649: Servlet.service() for servlet jsp threw exception
    javax.servlet.ServletException: String index out of range: -15
    at org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:536)
    at jsps.com_sun_web_ui._jsp._wizard._WizardWindow_jsp._jspService(_WizardWindow_jsp.java:559)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at com.iplanet.ias.web.jsp.JspServlet$JspServletWrapper.service(JspServlet.java:687)
    at com.iplanet.ias.web.jsp.JspServlet.serviceJspFile(JspServlet.java:459)
    at com.iplanet.ias.web.jsp.JspServlet.service(JspServlet.java:375)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:908)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:772)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:471)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:382)
    at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:340)
    at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
    at com.sun.web.ui.view.wizard.CCWizard.handleNextButtonRequest(CCWizard.java:730)
    at sun.reflect.GeneratedMethodAccessor37.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.iplanet.jato.view.command.DefaultRequestHandlingCommand.execute(DefaultRequestHandlingCommand.java:183)
    at com.iplanet.jato.view.RequestHandlingViewBase.handleRequest(RequestHandlingViewBase.java:308)
    at com.iplanet.jato.view.ViewBeanBase.dispatchInvocation(ViewBeanBase.java:802)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:740)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandlerInternal(ViewBeanBase.java:760)
    at com.iplanet.jato.view.ViewBeanBase.invokeRequestHandler(ViewBeanBase.java:571)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:957)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:473)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:807)

  • Add ldap user to Delegate Admin role programmatically

    Dear all,
    I have a problem with
    @Control
    private DelegationRoleManagerControl roleControl;
    roleControl.addUserToRole(EWPConstants.USER_DA_ROLE_NAME,username,ResourceContext.createResourceContext(getRequest(),false));
    I used that control to add a user to the delegate admin role. It is working fine on the admin server.
    But after we deploy on a managed server (stand-alone), we get this exception intermittently.
    15 Sep 2009 12:59:40 [[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR ewp.control.pageflow.login.LoginController - login():
    com.bea.p13n.entitlements.common.PolicyMgmtAccessException: Attempt to access Entitlement Policy Mgmt API by user in invalid role. Entitlement Policy operation attempted by disallowed user ["principals=[ewpwlpuser01]"].
    at com.bea.p13n.entitlements.management.internal.SecurityHelper.isWLPAdminRole(SecurityHelper.java:881)
    at com.bea.p13n.entitlements.management.internal.RolePolicyDelegate.roleExists(RolePolicyDelegate.java:387)
    at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.getGlobalRoleExpression(RDBMSRolePolicyManager.java:1702)
    at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.addGlobalRoleUser(RDBMSRolePolicyManager.java:1421)
    at com.bea.p13n.entitlements.management.internal.RDBMSRolePolicyManager.addGlobalRoleUser(RDBMSRolePolicyManager.java:1388)
    at com.bea.p13n.entitlements.management.RolePolicyManager.addGlobalRoleUser(RolePolicyManager.java:514)
    at com.bea.p13n.delegation.management.internal.DelegationRolePolicyDelegate.addPredicatesToGlobalDARole(DelegationRolePolicyDelegate.java:614)
    at com.bea.p13n.delegation.management.internal.DelegationRolePolicyDelegate.updateRole(DelegationRolePolicyDelegate.java:254)
    at com.bea.p13n.delegation.management.DelegationRoleManager.updateRole(DelegationRoleManager.java:431)
    at com.bea.p13n.delegation.management.DelegationRoleManager.updateRole(DelegationRoleManager.java:398)
    at com.bea.portal.tools.da.controls.DelegationRoleManagerControlImpl.addUsersToRole(DelegationRoleManagerControlImpl.java:76)
    at com.bea.portal.tools.da.controls.DelegationRoleManagerControlImpl.addUserToRole(DelegationRoleManagerControlImpl.java:223)
    at com.bea.portal.tools.da.controls.DelegationRoleManagerControlBean.addUserToRole(DelegationRoleManagerControlBean.java:295)
    at ewp.control.pageflow.login.LoginController.login(LoginController.java:126)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)

    hi
    it should work even if the managed server is not part of the cluster.
    Again do you get this error randomly or can you replicate it?
    It's possible that your Database / LDAP is out of sync. Can you access the portal admin console and can you see if the default two visitor entitlements show and you don't get any error saying PortalSystemAdministrator is not valid?
    Also you can just delete the managed server directory (under the domain/servers) it should recreate the LDAP (assuming admin server is running)
    regards
    deepak

  • Jes3 and Delegated Admin

    I'm setting up a demo of JES3 Messaging for a customer with the Delegated Admin. It seems to work for I can create users with the correct attributes. These users can log into Messenger Express and can see their mail but cannot send outgoing mail. Also I can't pop from the command line for any of these users but sending mail to them from the command line does work. This seems to be a problem with MailAllowed Services, but it seems ok on a ldapsearch (see below).
    Synopsis of results:
    I can send mail to these users with a telnet to port 25. But MExpress cannot send mail from any of these users.
    Messaging Express smtp error:
    "Not authorized to sned messages"
    But MExpress gets incoming mail for these users.
    Messenger Express gets mail for the users but pop fails:
    Telnet <server> 110
    User testuser2
    pass password
    "-ERR [AUTH] Not authorized to login as specified user"
    ldapsearch output for testuser2
    uid=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com
    psIncludeInGAB=true
    uid=testuser2
    iplanet-am-modifiable-by=cn=Organization Admin Role,o=myjazz.com,dc=myjazz,dc=com
    givenName=Test
    [email protected]
    mailUserStatus=active
    sn=User2
    cn=Test User2
    inetCOS=gold
    preferredLocale=en
    mailHost=bigun.myjazz.com
    objectClass=userpresenceprofile
    objectClass=top
    objectClass=iplanet-am-managed-person
    objectClass=iplanet-am-user-service
    objectClass=inetadmin
    objectClass=organizationalperson
    objectClass=person
    objectClass=inetuser
    objectClass=inetlocalmailrecipient
    objectClass=iplanetpreferences
    objectClass=ipuser
    objectClass=inetorgperson
    objectClass=inetsubscriber
    objectClass=inetmailuser
    inetUserStatus=Active
    userPassword={SSHA}I8oftLKYhg0DzYAzCh1UfzaluWNuKVNIjXO7RQ==
    mailDeliveryOption=mailbox
    preferredLanguage=en
    nswmExtendedUserPrefs=meDraftFolder=Drafts
    nswmExtendedUserPrefs=meSentFolder=Sent
    nswmExtendedUserPrefs=meTrashFolder=Trash
    nswmExtendedUserPrefs=meInitialized=true
    pabURI=ldap://bigun.myjazz.com:389/ou=testuser2,ou=People,o=myjazz.com,dc=myjazz,dc=com,o=pab
    mailAllowedServiceAccess=+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL
    mailMsgMaxBlocks=700
    mailMsgQuota=3000
    mailQuota=8000000

    I had the same problem. When I created a user account through the Delegated Admin interface the user could log into Communications Express, but was unable to send outgoing email. I then created another user account using the command below and this user is able to send email. I have not quite figured out the significant difference yet.
    ./commadmin user create -D admin -w <password> -X host.domain.com -n domain.com -d hosteddomain.com -l test5 -F Test5 -L User -W pass -S mail,cal -k legacy -E [email protected] -H host.domain.com
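
The `mailAllowedServiceAccess` value in the ldapsearch output above can be evaluated service by service. The following Python is an added example, not part of the original posts or of any Sun tool; it assumes the Messaging Server access-filter rules (`+`/`-` filters separated by `$`, each a `service_list:client_list`) and matches only the `ALL`/`*` wildcard and literal client names. The client address is a constructed sample.

```python
# Added example: evaluate a mailAllowedServiceAccess value for one client.
# Assumed rule semantics (Messaging Server access filters):
#   - filters are separated by "$"; each is "+" (allow) or "-" (deny)
#     followed by "service_list:client_list", both comma-separated
#   - no filters at all: every service is allowed
#   - a matching allow filter grants access, a matching deny filter denies it
#   - no match: granted, unless only allow filters exist (then denied)
# Only the ALL / * wildcard and literal client names are matched here;
# other client patterns (netmasks, domain suffixes) are out of scope.

SERVICES = ("imap", "imaps", "pop", "pops", "smtp", "smtps", "http")
WILDCARDS = {"all", "*"}

# Value copied from the ldapsearch output for testuser2 on this page.
PAGE_VALUE = "+imaps:ALL$+pops:ALL$+smtps:ALL$+http:ALL"


def parse_filters(value):
    """Return a list of (is_allow, services, clients) tuples."""
    rules = []
    for raw in value.split("$"):
        raw = raw.strip()
        if not raw:
            continue
        if raw[0] not in "+-":
            raise ValueError("filter must start with + or -: %r" % raw)
        services, sep, clients = raw[1:].partition(":")
        if not sep or not services.strip() or not clients.strip():
            raise ValueError("expected service_list:client_list in %r" % raw)
        rules.append((
            raw[0] == "+",
            {s.strip().lower() for s in services.split(",") if s.strip()},
            {c.strip().lower() for c in clients.split(",") if c.strip()},
        ))
    return rules


def _matches(names, candidate):
    """True if the name set holds a wildcard or the candidate itself."""
    return bool(names & WILDCARDS) or candidate.lower() in names


def is_allowed(value, service, client):
    """Decide whether `client` may use `service` under the filter string."""
    rules = parse_filters(value)
    if not rules:
        return True
    hits = [allow for allow, services, clients in rules
            if _matches(services, service) and _matches(clients, client)]
    if True in hits:          # an allow filter matched
        return True
    if False in hits:         # only deny filters matched
        return False
    has_allow = any(allow for allow, _, _ in rules)
    has_deny = any(not allow for allow, _, _ in rules)
    return not (has_allow and not has_deny)


def access_summary(value, client):
    """Map every known service name to allowed (True) or denied (False)."""
    return {svc: is_allowed(value, svc, client) for svc in SERVICES}


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address.
    for svc, ok in access_summary(PAGE_VALUE, "192.0.2.10").items():
        print("%-6s %s" % (svc, "allowed" if ok else "denied"))
```

Under these assumed rules, the value posted above yields `imaps`, `pops`, `smtps` and `http` as allowed and the plain `imap`, `pop` and `smtp` services as denied.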

  • Delegated Admin Deleted org and attribute violation

    I'm using Sun Messaging Server 6 and Delegated Administrator 6.3-0.09. I've created an organization, and got everything to work just fine. Then I deleted it with the GUI and then used commadmin to delete and purge it, but now when I try to make one of the same name and domain it says "Attribute uniqueness violated." I've checked the LDAP DB directory and it's not there.
    Also I did the same with some other domains (creating and deleting) with commadmin and it says "Conflicts with deleted Organization". Those domains are still in the LDAP DB and I googled around and I set the mailDomainStatus from "active" to "removed" with ldapmodify. But commadmin domain purge still doesn't get rid of it. I'm running out of ideas. Anybody have any ideas?
    Thanks

    Hi Jay,
    Yes you're probably right about it being a different issue.
    1) Sun Java(tm) System Messaging Server 6.2-7.05 (built Sep 5 2006)
    libimta.so 6.2-7.05 (built 12:18:44, Sep 5 2006)
    SunOS msg01 5.10 Generic_118833-24 sun4v sparc SUNW,Sun-Fire-T200
    Delegated Administrator 6.3-2.02 (built Mar 7, 2006)
    Sun Java System Access Manager 7 2005Q4
    Solaris is patched with the latest and greatest. I had the same issue before patching Messaging Server and DA.
    2) I've created a number of organizations and users using DA, that worked fine, Communications Express and calendar also both appear to work just fine.
    I can remove users just fine, before commadmin domain purge, I run msuserpurge and csclean.
    Now, when I want to delete the actual organization they obviously get marked as "deleted" and I have to use -g 0 when I do commadmin domain purge, but it doesn't work. commadmin domain purge appears to work, I get no errors, even in verbose mode it looks fine, except everything says the same in LDAP.
    I've replaced the actual domain with acme.com :)
    # ./commadmin domain purge -v -D admin -w password -n acme.com -d "*" -g 0 -X accm01.acme.com -p 80
    [Debug]: DBG:Object = domain ; task = purge
    [Debug]: default domain from Properties: acme.com
    [Debug]: IShost from Properties: accm01.acme.com
    [Debug]: ISPort from Properties: 80
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/auth
    [Debug]: To servlet: domain=acme.com&username=admin&password=password&charsetenc=UTF-8
    [Debug]: cookie => JSESSIONID=C60C53354E7A3CC9DFE8BA50BE3041B3;Path=/commcli
    [Debug]: RECV: OK
    [Debug]: RECV: OK
    [Debug]: RECV: dn: uid=admin, ou=People, o=acme.com,dc=acme,dc=com
    [Debug]: RECV: datasource: Sun ONE Messaging Server Installer
    [Debug]: RECV: objectclass: ipUser
    [Debug]: RECV: objectclass: top
    [Debug]: RECV: objectclass: iplanet-am-managed-person
    [Debug]: RECV: objectclass: iplanet-am-user-service
    [Debug]: RECV: objectclass: icsCalendarUser
    [Debug]: RECV: objectclass: iPlanetPreferences
    [Debug]: RECV: objectclass: person
    [Debug]: RECV: objectclass: inetAdmin
    [Debug]: RECV: objectclass: inetMailUser
    [Debug]: RECV: objectclass: userPresenceProfile
    [Debug]: RECV: objectclass: inetorgperson
    [Debug]: RECV: objectclass: inetLocalMailRecipient
    [Debug]: RECV: objectclass: organizationalPerson
    [Debug]: RECV: objectclass: inetUser
    [Debug]: RECV: nsroledn: cn=Top-level Admin Role,dc=acme,dc=com
    [Debug]: RECV: mailquota: -1
    [Debug]: RECV: loginid: admin
    [Debug]: RECV: uid: admin
    [Debug]: RECV: userpassword: {SSHA}RDI/jttF2mJBn/guc4zi74WupckeR+B+zjCPZA==
    [Debug]: RECV: mail: [email protected]
    [Debug]: RECV: givenname: Store
    [Debug]: RECV: mailuserstatus: active
    [Debug]: RECV: icssubscribed: [email protected]:[email protected]:anonymous
    [Debug]: RECV: sn: Top Level Admin
    [Debug]: RECV: surname: Top Level Admin
    [Debug]: RECV: cn: Top Level Admin
    [Debug]: RECV: maildeliveryoption: mailbox
    [Debug]: RECV: icscalendarowned: [email protected]:anonymous$
    [Debug]: RECV: memberof: cn=Service Administrators,ou=Groups,dc=acme,dc=com
    [Debug]: RECV: initials: TLA
    [Debug]: RECV: mailhost: comx01.acme.com
    [Debug]: RECV: mailmsgquota: -1
    [Debug]: RECV: iplanet-am-user-login-status: Active
    [Debug]: RECV: inetuserstatus: active
    [Debug]: RECV:
    [Debug]: DBG: before getobjtaskargs
    [Debug]: In getObjTaskArgs for: domain; purge
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/climap
    [Debug]: Sending to servlet: task=purge&object=domain
    [Debug]: getObjTaskArgs Status: 0
    [Debug]: Number of servlets: 1
    [Debug]: Servlet Name: TaskManager
    [Debug]: Servlet args: task=PurgeDomain
    [Debug]: Servlet args: objecttype=Domain
    [Debug]: Valid Options Array: 4
    d, true, *, true, true, [search_op]domain pattern, search_op=~=, =,!=,>=, or <=, domain, ,
    S, true, , false, true, service(s) to be purged, services, ,
    g, true, 10, false, true, grace period (days), purgegrace, ,
    r, false, , false, true, recursively delete subentries, recursive=yes, ,
    [Debug]: DBG: getObjTaskArgs done
    [Debug]: servInfo len = 1
    [Debug]: argVal =*
    [Debug]: servCommand =task=PurgeDomain&objecttype=Domain&domain=*
    [Debug]: argVal =0
    [Debug]: servCommand =task=PurgeDomain&objecttype=Domain&domain=*&purgegrace=0
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/TaskManager
    [Debug]: To servlet: task=PurgeDomain&objecttype=Domain&domain=*&purgegrace=0
    [Debug]: RECV: OK
    [Debug]: RECV:
    [Debug]: CLITask: status returned =OK
    OK
    [Debug]: DBG: doOne returned code=0
    [Debug]: Contacting : http://accm01.acme.com:80/commcli/logout
    [Debug]: Logout ...
    [Debug]: RECV: SSOToken id AQIC5wM2LY4SfczYpHHUrvgaZnCL10QKi1CbUcI+yMCK72s=@AAJTSQACMDE=#
    [Debug]: RECV: destroyed
    If I then do an LDAP search, I still see the domains there, even though I've set mailDomainStatus: removed (as suggested in other threads)
    dn: o=test3.dk,dc=acme,dc=com
    o: test3.dk
    sunNameSpaceUniqueAttrs: uid
    sunMaxUsers: -1
    sunOrgType: full
    sunPreferredDomain: test3.dk
    sunEnableGAB: false
    preferredMailHost: msg01.acme.com
    mailClientAttachmentQuota: -1
    mailDomainDiskQuota: -1
    objectClass: inetdomainauthinfo
    objectClass: sunismanagedorganization
    objectClass: top
    objectClass: sunnamespace
    objectClass: sundelegatedorganization
    objectClass: sunmanagedorganization
    objectClass: maildomain
    objectClass: icscalendardomain
    objectClass: organization
    icsDWPBackEndHosts: cal01.acme.com
    icsStatus: Active
    preferredLanguage: en
    sunRegisteredServiceName: DomainMailService
    sunRegisteredServiceName: GroupMailService
    sunRegisteredServiceName: iPlanetAMAuthMembershipService
    sunRegisteredServiceName: UserMailService
    sunRegisteredServiceName: iPlanetAMAuthService
    sunRegisteredServiceName: iPlanetAMAuthConfiguration
    sunRegisteredServiceName: UserCalendarService
    sunRegisteredServiceName: iPlanetAMPolicyConfigService
    sunRegisteredServiceName: iPlanetAMAuthLDAPService
    sunRegisteredServiceName: DomainCalendarService
    sunNumUsers: 0
    sunAvailableServices: earth:10:0
    inetDomainStatus: removed
    mailDomainStatus: removed
    3) Not a lot.
    4) Organizations removed from LDAP, as it is now they are blocking should I want to re-add them, and of course filling up LDAP :-/

  • In Portal Content admin Role "Portal content" folder is not displaying

    Hi,
    I created a user in EP and assigned only the Content admin Role. But in the portal content area the "Portal content" folder is not displaying.
    Can someone help me the process steps to achieve it?
    Thanks,
    kundan

    It is because the user has no proper permissions to the portal content folder.
    You should give at least read permission to the portal content folder to the content_admin role or to the users who have the content admin role.
    Also make sure the end user check box is checked at the time of giving permissions.
    Otherwise give the everyone group read permissions to the portal content folder. Then you can see the portal content folder with read permissions only.
    Raghu
    Edited by: Raghavendranath Garlapati on Sep 1, 2009 9:32 AM

  • Is there any way to create admin role only for one resource.

    Hi all,
    I am trying to create an admin role with 'update user' capability. But I want to restrict the user (with the admin role) to be able to update a user's attribute only for one resource. The user (with the admin role) should not be able to update the attributes of the other resources which a user has.
    Is there any way to create admin role only for one resource?
    I customized the tabbed user form to show only one resource attribute (deleting the missing fields and adding my tab for the resource) and then assigned this new User Form to the user(with the admin role) in security tab.
    It works fine. But the problem is that if any user(with the admin role) is also admin of some other resource then he/she will not be able to view the other resource attributes.
    Please suggest,
    thanks

    The loop function always repeats the same region so of course the fade is also copied. So option+drag the original region to make a (non clone) copy, fade the first region and loop the second one (which you just copied).

  • Pictures not loaded in a Web Page Composer site without admin role

    Hello!
    I have got a new problem concerning SAP Web Page Composer.
    I have created a new site with some paragraphs and some pictures. The problem is when I, with admin role, access this site I am able to see everything. When another user, without admin role, is trying to access this site he is able to see everything but the pictures. All paragraphs or linklists are displayed but the pictures are not available. When giving the user the admin role he also becomes able to see the pictures.
    I know it is a permission problem but do not know where I forgot to set the permissions to "every user". But I do not understand why this is only concerning the pictures and every other Web Page Composer element is displayed properly, although the pictures' permissions are set to the same as the other elements. When trying to access the pictures by the user without admin role NetWeaver is throwing the following exception:
    "com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs)"
    Thanks for your help in advance!
    Regards
    Georg

    The whole exception:
    [EXCEPTION]
    com.sapportals.portal.prt.runtime.PortalRuntimeException: Access is denied: pcd:portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs - user: Manager,
    at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1932)
    at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.refresh(PortalComponentContextItem.java:234)
    at com.sapportals.portal.prt.core.broker.PortalComponentContextItem.getContext(PortalComponentContextItem.java:316)
    at com.sapportals.portal.prt.component.PortalComponentRequest.getComponentContext(PortalComponentRequest.java:387)
    at com.sapportals.portal.prt.connection.PortalRequest.getRootContext(PortalRequest.java:488)
    at com.sapportals.portal.prt.core.PortalRequestManager.runRequestCycle(PortalRequestManager.java:607)
    at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:240)
    at com.sapportals.wcm.portal.connection.KmConnection.handleRequest(KmConnection.java:52)
    at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
    at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
    at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:104)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:176)
    Caused by: com.sapportals.portal.pcd.gl.PermissionControlException: Access denied (Object(s): portal_content/every_user/general/eu_role/com.sap.km.home_ws/com.sap.km.hidden/com.sap.km.urlaccess/com.sap.km.docs)
    at com.sapportals.portal.pcd.gl.PcdFilterContext.filterLookup(PcdFilterContext.java:422)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1248)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.basicContextLookup(PcdProxyContext.java:1254)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookupLink(PcdProxyContext.java:1353)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.proxyLookup(PcdProxyContext.java:1300)
    at com.sapportals.portal.pcd.gl.PcdProxyContext.lookup(PcdProxyContext.java:1067)
    at com.sapportals.portal.pcd.gl.PcdGlContext.lookup(PcdGlContext.java:68)
    at com.sapportals.portal.pcd.gl.PcdURLContext.lookup(PcdURLContext.java:238)
    at javax.naming.InitialContext.lookup(InitialContext.java:347)
    at com.sapportals.portal.prt.deployment.DeploymentManager.getPropertyContentProvider(DeploymentManager.java:1919

  • OIM Read only Admin Role

    Hello Everyone
    Is there something like a read-only OIM Admin role? My manager wants to just see everything done by a system administrator or xelsysadmin. He doesn't want to modify any date, but he just wants to access everything added by the administrator.
    Thank You

    Hi,
    I hope you are using OIM 11g R2.
    If yes, then OOTB OIM provides many Admin Roles under organization section. For example: User Viewer, HelpDesk, Org Admin etc.
    You can use any of the OOTB admin roles to fulfill your requirement.
    HTH
    J

  • Creation of new admin role in Exchange Online Protecion

    HI,
    I am brand new with the Exchange Online Protection solution.
    I want to create a new admin role since the default one does not offer the specific rights that we need for a group.
    I went in Exchange admin Center > Permissions > Admin role and we can only edit the actual default groups.
    I need to be able to create a new one.
    I did read somewhere about some PowerShell command but, since this is a cloud-based solution, I have a hard time believing that there is no option to create a custom role in the actual web interface of EOP.
    Anybody have a solution for that ?
    Thx

    Hi,
    as far as I can see you can't create roles in EOP because there is access necessary to Exchange Online. EOP has only limited access to Exchange Online or no access. It seems to me that managing roles is not part of EOP.
    To be sure you should open a support case in the admin center.
    Greetings
    Christian
    Christian Groebner MVP Forefront
